CyberheistNews Vol 12 #05  |   Feb. 1st., 2022
[Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential

CNN just reported on a Jan 23 Intelligence Bulletin from the US Department of Homeland Security (DHS) that warned state and local governments and critical infrastructure operators about the risk of Russia hitting the US with cyber attacks in retaliation for a possible US or NATO response to a potential Russian invasion of Ukraine.

The agency said Russia could employ anything from denial-of-service attacks to more destructive ones aimed at disrupting critical infrastructure.

Specifically, CISA just highlighted a warning by Microsoft about malware focused on deleting the Master Boot Record of Windows devices that was being used in attacks on Ukrainian organizations.

CISA also put out a set of recommendations – particularly if your organization is working with a Ukrainian business or has an office in Ukraine – that includes steps to reduce the likelihood of attack, detection of potential intrusions, incident response should an attack occur, and a focus on being cyber resilient.

CISA noted with concern: "The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure".

Remember the 2017 NotPetya attack? In a report published by Wired, a White House assessment pegged the total damages brought about by NotPetya to more than $10 billion. This was confirmed by former Homeland Security adviser Tom Bossert, who at the time of the attack was the most senior cybersecurity focused official in the US government.

More recently, "58% of all cyberattacks from nation-states have come from Russia," said Tom Burt, Microsoft corporate vice president.

The downtime caused by NotPetya was horrendous. Think your cybersecurity insurance might cover the cost? Not so fast. Some insurance companies cited “act of war” exclusions to try to avoid covering the NotPetya damage. This is now in the courts, and this WSJ article is great ammo to add to a budget request.

Cybersecurity has moved from IT to a CEO and board-level business issue

You did not sign up for this, but today it is abundantly clear that as an IT pro you find yourself on the front line of 21st-century cyber war. Cybersecurity has moved from IT to a CEO and board-level business issue. I strongly suggest you have another look at your defense-in-depth, and make sure to:
  • Have weapons-grade backups
  • Religiously patch
  • Step your users through refresher security awareness training
Now that the new year has started and you need to comply with a raft of regulations, it's a great time to schedule your users for a refresher awareness training module to keep them on their toes with security top of mind.

Blog post with links:
https://blog.knowbe4.com/heads-up-dhs-sounds-alarm-on-new-russian-destructive-disk-wiper-attack-potential
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, February 9 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at TWO NEW FEATURES and see how easy it is to train and phish your users.
  • NEW! Security Culture Benchmarking feature: compare your organization’s security culture with your peers
  • NEW! AI-Driven training recommendations for your end users in their own UI
  • Brandable Content feature gives you the option to add branded custom content to select training modules
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, February 9 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3594855/B56090726426328F0038884E8EBB750A?partnerref=CHN
Microsoft Warns of Latest “Consent Phishing” Attack Intent on Reading Your Email

Rather than steal your user’s credentials, this latest attack takes the OAuth route to gain access to the victim’s mailbox. This gives cybercriminals continual access, regardless of whether the user is logged on or not.

We’ve seen a number of these kinds of phishing attacks over the last 12 months targeting mailbox access within Microsoft 365 and even posing as Coinbase. If you’re not familiar with these attacks, rather than trick the phishing victim into providing their Microsoft 365 credentials (which can easily be reset), the attack poses as a legitimate app and asks for application access to your mailbox (for reference, Outlook Mobile does this to facilitate continual access for your mobile phone to access your Microsoft 365 mailbox).

In a recent tweet from Microsoft Security Intelligence, a new App – simply entitled “Upgrade” – was identified asking for OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. It’s also noted that suspicious Inbox Rules are created by this access and appear to exfiltrate emails.

The pivotal point where the attack can be stopped is when the malicious app is asking for access. Educating users would help ensure they are aware that – other than something like Outlook Mobile or another legitimate application – no unexpected phishing email EVER needs access to their mailbox.
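As an added example (not from the article, Microsoft, or KnowBe4), the following Python audits an export of OAuth consent grants and inbox rules for the pattern described above: an unvetted app granted mailbox scopes, combined with inbox rules that forward mail out of the tenant. Field names loosely follow Microsoft Graph's oauth2PermissionGrant and messageRule resources, with clientDisplayName added as the resolved app name (assumptions); the records are constructed, and the app name "Upgrade" is the one Microsoft named.

```python
"""Flag consent-phishing indicators: unvetted apps holding mailbox scopes and
inbox rules that forward mail outside the tenant. Record shapes are modelled on
Microsoft Graph (assumed); clientDisplayName is added; all records constructed."""
import json

# Delegated scopes that grant the access the article describes.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Calendars.ReadWrite",
                "Contacts.Read", "MailboxSettings.ReadWrite"}  # last: inbox rules
# Apps the tenant has vetted; Outlook Mobile legitimately needs these scopes.
KNOWN_APPS = {"Outlook Mobile"}

# Constructed: one vetted grant and the "Upgrade" app named by Microsoft.
CONSENT_GRANTS = json.loads("""[
 {"clientDisplayName": "Outlook Mobile", "principalId": "u1",
  "scope": "Mail.ReadWrite Calendars.ReadWrite Contacts.Read"},
 {"clientDisplayName": "Upgrade", "principalId": "u2",
  "scope": "Mail.ReadWrite MailboxSettings.ReadWrite Contacts.Read offline_access"}
]""")

# Constructed: a benign rule for u1 and an exfiltrating rule for u2.
INBOX_RULES = json.loads("""[
 {"principalId": "u1", "displayName": "Newsletters",
  "actions": {"moveToFolder": "Newsletters"}},
 {"principalId": "u2", "displayName": ".",
  "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}],
              "delete": true, "markAsRead": true}}
]""")


def risky_grants(grants, known_apps=KNOWN_APPS):
    """(app, principalId, sorted risky scopes) for every unvetted app."""
    hits = []
    for g in grants:
        scopes = set(g["scope"].split()) & RISKY_SCOPES
        if scopes and g["clientDisplayName"] not in known_apps:
            hits.append((g["clientDisplayName"], g["principalId"], sorted(scopes)))
    return hits


def suspicious_rules(rules, tenant_domain="example.com"):
    """(principalId, rule name, reasons) for rules sending mail outside the tenant."""
    hits = []
    for r in rules:
        acts = r.get("actions", {})
        reasons = []
        for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
            for rcpt in acts.get(key, []):
                addr = rcpt["emailAddress"]["address"]
                if not addr.lower().endswith("@" + tenant_domain):
                    reasons.append(f"{key} -> external {addr}")
        # Deleting or marking read hides the forwarded copies from the victim.
        if reasons and (acts.get("delete") or acts.get("markAsRead")):
            reasons.append("hides forwarded mail (delete/markAsRead)")
        if reasons:
            hits.append((r["principalId"], r["displayName"], reasons))
    return hits


def correlate(grants, rules):
    """Principals with both an unvetted risky grant and a suspicious rule."""
    flagged = {p for _, p, _ in risky_grants(grants)}
    return sorted({p for p, _, _ in suspicious_rules(rules) if p in flagged})
```

Principals returned by correlate() are the ones to triage first: revoke the grant, remove the rule, and review sign-in activity.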

Blog post with links:
https://blog.knowbe4.com/microsoft-warns-of-latest-consent-phishing-attack-intent-on-reading-your-email
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, February 9 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: Wednesday, February 9 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3594832/57C1A9C3C236C0F3332FDA1714D040A9?partnerref=CHN
Ransomware Operators Try to Recruit Insiders With Big Money

Sixty-five percent of organizations report that their employees have been contacted by ransomware attackers in an attempt to recruit insider threats, according to researchers at Pulse and Hitachi ID.

“Since our last survey conducted in November, there has been a 17% increase in the number of employees and executives who have been approached by hackers to assist in ransomware attacks,” the researchers write. “To combat this rising threat, businesses must take a proactive offensive approach to cybersecurity or face financial and reputational damage.

To gain a better understanding of the different types of ransomware threats, Pulse and Hitachi ID surveyed 100 IT and security executives on how hackers are approaching employees, how ransomware is impacting an organization’s cybersecurity approach, and how prepared businesses really are to combat these attacks.”

The majority (59%) of these requests came through emails, while 27% were made through phone calls. 21% arrived via social media messages. Most of the employees were offered more than $500,000 for assisting the attackers, and some were offered up to $1,000,000.

Blog post with links:
https://blog.knowbe4.com/ransomware-operators-try-to-recruit-insiders
A Data-Driven Approach for Your Third-Party Risk Management Processes

As organizations have increased their scope of vendors and partners, they have also increased their digital risk surface and are facing new challenges regarding vendor risk management. By taking a data-driven approach to identifying, understanding, and acting on risk, you can efficiently eliminate your organization's most critical third-party security gaps.

Join Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, 30-year security veteran, and former auditor who has passed the CPA and CISA exams. Roger will show you how to leverage your organization’s data to significantly improve your third-party risk management program.

Roger will show you:
  • The evolution of vendor risk management
  • Differences between traditional risk management and "real" risk management, and why it matters
  • How to create a data-driven risk management plan using best practices
Learn how you can close your organization's most critical third-party security gaps by taking a data-driven approach to identifying, understanding, and acting on risk. And earn CPE credit for attending.

Date/Time: TOMORROW, Wednesday, February 2 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3621931/A3D984E91013C2B8CA938D094CAB9E08?partnerref=CHN

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: This unique new KnowBe4 feature enables you to compare your security culture with your peers:
https://blog.knowbe4.com/new-benchmarking-feature-compare-your-organizations-security-culture-with-other-organizations-in-your-industry

PPS: From Yours Truly for your C-Suite - "What your organization looks like in the eyes of a cyber attacker":
https://www.fastcompany.com/90714629/what-your-organization-looks-like-in-the-eyes-of-a-cyber-attacker

Quotes of the Week
"It is not because things are difficult that we do not dare, it is because we do not dare that they are difficult."
- Lucius Annaeus Seneca - Philosopher, Statesman, Dramatist (5 BC - 65 AD)


"If you would be a real seeker after truth, it is necessary that at least once in your life you doubt, as far as possible, all things."
- René Descartes - Philosopher (1596 - 1650)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-05-dhs-sounds-alarm-on-new-russian-destructive-disk-wiper-attack-potential

Security News
Dark Herring Infected More Than 105 Million Android Devices

Researchers at Zimperium have discovered an Android malware campaign that’s infected more than 105 million devices around the world. The malware, called “Dark Herring,” was distributed through Google Play and third-party app stores (though Google has since removed the malicious apps from its store).

It’s scamware, malware whose operators inveigle the victims into unwittingly signing up for premium services. “These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for premium service they are not receiving via direct carrier billing,” the researchers write.

“Direct carrier billing, or DCB, is the mobile payment method that allows consumers to send charges of purchase made to their phone bills with their phone number. Unlike many other malicious applications that provide no functional capabilities, the victim can use these applications, meaning they are often left installed on the phones and tablets long after initial installation.”

Zimperium notes that the campaign is particularly effective because the apps are tailored to the targeted countries. “The Dark Herring mobile applications pose a threat to all Android devices by functioning as a scamware that subscribes users to paid services, charging an average monthly premium of $15 USD per month,” the researchers write.

“This campaign has targeted millions of users from over 70 countries by serving targeted malicious web pages to users based on the geo-location of their IP address with the local language. This social engineering trick is exceptionally successful and effective as users are generally more comfortable with sharing information to a website in their local language.”

The researchers also point out that the apps function like legitimate apps, so victims won’t suspect that they’ve been infected.

“In addition to over 470 Android applications, the distribution of the apps was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims,” the researchers write.

“The apps themselves also functioned as advertised, increasing the false sense of confidence.”

Zimperium has the story:
https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-installations/
A Generational Divide Among Social Engineering Victims

Younger and older people differ in their susceptibility to different types of social engineering attacks, according to researchers at Avast. Younger people tend to fall for scams distributed through social media apps, while older people are more likely to fall for banking and tech support scams.

“The most important internet activity for 18-24-year-olds is using social media (37%),” Avast said in a press release. “For 25-34 year olds, it’s staying in contact with friends and family via messenger services and emails (40%), and for 35-44 year olds, it’s banking and finance activities (40%).

This shows why the younger generation are targeted on their smartphone with scams on Instagram and TikTok, FluBot SMS and email phishing scams that look like they’ve come from friends or family, and mobile banking Trojans.”

The researchers explain that older users tend to be targeted by attacks that affect desktop computers. “In comparison, the most important activities for the older generation are banking and finance activities (55-64: 55%, 65+: 70%), followed by staying in contact with friends and family via messenger services and email (55-64: 47%, 65+: 56%), and using a search engine (55-64: 33%, 65+: 38%),” Avast adds.

“This helps to explain why they are more likely to be targets for key threats on computers including ransomware, email phishing scams and spyware/Trojans targeting their finances, and tech support scams.”

Jaya Baloo, Chief Information and Security Officer at Avast, noted that despite these trends, anyone of any age can fall for social engineering scams.

“Of course, younger generations are also susceptible to desktop-related threats as they use desktop devices as their secondary tool to go online, and vice versa older generations also use smartphones, but it’s important that New Zealanders understand the different types of online threats that are targeted at different devices and that you discuss all of these threats as a family so each person is up to date and aware of how to stay safe whatever device they happen to be using,” Baloo said.

“Different generations may see the internet with different eyes and have different online experiences, which is something to keep in mind when having conversations about online safety at home.”

New-school security awareness training can help employees of all ages avoid falling for phishing and other social engineering attacks.

Scoop has the story:
https://www.scoop.co.nz/stories/BU2201/S00166/the-cyber-security-attack-divide-grandparents-targeted-by-ransomware-young-adults-by-tiktok-scams.htm
What KnowBe4 Customers Say

"Hello Stu, Thank you so very much for reaching out! Yes, the training and phishing service are definitely getting good results for us. I am really appreciating having a place that helps manage and track training and phishing campaigns all in one place, and the fact that I can lose the spreadsheet!

The staff are also enjoying the different format, and the ability to do the training on their own time as opposed to a scheduled meeting.

Also want to say how much I appreciate the support from Grace. She has been an absolute star at getting us up and running!"
- T.B., Privacy Officer


"Hey Stu, things are going great with your product! It's been adopted and integrated across our userbase quite well. Using it to educate and test my users has quickly become one of my favorite job duties.

The back-end interface is mostly good, and I especially love that it continues to improve. It seems like every time I hop on a new feature is added or an improvement is made.

Finally, the person assigned as our account manager, LexieN, is awesome. She's been so great at being there to help us set everything up, learn the product, and roll it out. If you can deliver, or send down the chain of command, a high-five to her on my behalf I'd be much obliged.

Thanks for reaching out and checking on us. We're excited to be using KnowBe4 in the coming years."
- D.J., Systems Administrator


The 10 Interesting News Items This Week
  1. [OPINION] Will World War III begin in cyberspace?:
    https://www.computerworld.com/article/3647879/will-world-war-iii-begin-in-cyberspace.html

  2. DHS Warns of Potential for Russian Cyberattacks Against US Targets:
    https://www.darkreading.com/attacks-breaches/dhs-sounds-alarm-on-potential-for-major-russian-cyberattacks-on-us

  3. What CISA Incident Response Playbooks Mean for Your Organization:
    https://securityintelligence.com/articles/cisa-incident-response-playbooks-perspective/

  4. Personal identifying information for 1.5 billion users was stolen in 2021, but from where?:
    https://www.techrepublic.com/article/personal-identifying-information-for-1-5-billion-users-was-stolen-in-2021-but-from-where/

  5. JBS paid $11 million in ransom after cyberattack, company says:
    https://abcnews.go.com/Business/jbs-paid-11-million-ransom-cyber-attack-company/story?id=78185017

  6. Russia arrests leader of “Infraud Organization” hacker group:
    https://www.bleepingcomputer.com/news/security/russia-arrests-leader-of-infraud-organization-hacker-group/

  7. Hactivists say they hacked Belarus rail system to stop Russian military buildup:
    https://arstechnica.com/information-technology/2022/01/hactivists-say-they-hacked-belarus-rail-system-to-stop-russian-military-buildup/

  8. TrickBot now crashes researchers' browsers to block malware analysis:
    https://www.bleepingcomputer.com/news/security/trickbot-now-crashes-researchers-browsers-to-block-malware-analysis/

  9. German govt warns of APT27 hackers backdooring business network:
    https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/

  10. What Happens When Russian Hackers Come for the Electrical Grid:
    https://www.bloomberg.com/news/features/2022-01-26/what-happens-when-russian-hackers-cyberattack-the-u-s-electric-power-grid

Copyright © 2014-2022 KnowBe4, Inc. All rights reserved.


